mod_auth_kerb credential error for principal

Douglas E. Engert deengert at anl.gov
Thu Mar 22 15:56:43 EDT 2007


A couple of things.
    AD is case insensitive, but Kerberos is not.
    the principal should have lowercase host name.
    fix it now before it causes more problems.


    kinit requires a principal as a parameter.
    kinit -k  \
     -t /usr/local/apache2/conf/apache.keytab \
     HTTP/linuxserver.domain.com@WEG.NET

   The account name myuser, should relate to the
   principal name, as each principal will need an account.
   (MS called it a user account, it is not a real user, it is
    for the service.)

Edson Habowsky wrote:
> Hello,
> 
> I'm facing a serious problem with a Kerberos ticket.
> 
> I'm trying to authenticate Windows users to the Linux Apache web server using the Kerberos authentication method, and, for Apache, mod_auth_kerb.
> 
> Having problems with keytab.
> 
>  
> 
> Targeting domain controller: DCserver.domain.com
> 
> Successfully mapped HTTP/LinuxServer.domain.com to myuser.
> 
> Type the password for HTTP/LinuxServer.domain.com:
> 
> Type the password again to confirm:
> 
> Key created.
> 
> Output keytab to c:\temp\apache.keytab:
> 
> Keytab version: 0x502
> 
> keysize 56 HTTP/LinuxServer.weg.net@WEG.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 23 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2f342c51891c1c68)
> 
> Account myuser has been set for DES-only encryption.
> 
>  
> 
>> I'm trying to use this keytab on the Linux Apache server with 
> 
>> mod_auth_kerb; and if I put the apache.keytab that was just created on the Windows side onto the Linux side, it 
> 
>> doesn't work. I got the error when I run the kinit command:
> 
> 
>> #kinit -k -t /usr/local/apache2/conf/apache.keytab
> 
>> kinit(v5): Client not found in Kerberos database while getting initial 
> 
>> credentials
> 
>  
> 
> If I run kinit myuser and enter my password, it works fine, and after running this, if I run klist it shows me the cached ticket fine.
> 
> Also, if I run kutil and check the kvno in the keytab, it gives me the right number (same as the one created on the Windows side through ktpass).
> 
>  
> 
>  
> 
>> May someone help me please,
> 
>> I'm stuck on this, almost one week, and don't know what else to do.
> 
>  
> 
> Edson Habowsky 
> Departamento de Sistemas de Informação 
> Sc Data Center - Tecnologia 
> Analista de Infra - Servidores/Storage 
> Fone: 55 (47) 3276 4619 - edsonh at weg.net <mailto:edsonh at weg.net>  
> WEG Equipamentos Elétricos S.A. - Corporativo 
> "TRANSFORMANDO ENERGIA EM SOLUÇÕES" 
> 
>  
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


